[openssl-dev] OpenSSL HEAD breaks OpenConnect VPN client

Matt Caswell matt at openssl.org
Mon Feb 16 20:23:50 UTC 2015



On 16/02/15 17:33, David Woodhouse wrote:
> On Mon, 2015-02-16 at 13:25 +0000, Matt Caswell wrote:
>> That sounds like a bug. I can't think of a reason why this should
>> exclude DTLS.
> 
> This fixes it to work with DTLS1_BAD_VER too:
> 
> diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c
> index 3eaee1d..6e20a1f 100644
> --- a/ssl/ssl_asn1.c
> +++ b/ssl/ssl_asn1.c
> @@ -396,7 +396,8 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
>      os.data = NULL;
>      os.length = 0;
>      M_ASN1_D2I_get_x(ASN1_OCTET_STRING, osp, d2i_ASN1_OCTET_STRING);
> -    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR) {
> +    if ((ssl_version >> 8) >= SSL3_VERSION_MAJOR ||
> +	ssl_version == DTLS1_BAD_VER) {
>          if (os.length != 2) {
>              c.error = SSL_R_CIPHER_CODE_WRONG_LENGTH;
>              c.line = __LINE__;
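Review bot: the continuation line `ssl_version == DTLS1_BAD_VER) {` is indented with a tab while the rest of this hunk uses four-space indentation; align it under `ssl_version` with spaces to match the file. The extra disjunct also deserves a one-line comment, since the reason is not visible from the condition itself: the existing test looks only at the major byte, which admits SSLv3, TLS and standard DTLS versions, whereas DTLS1_BAD_VER's major byte falls below SSL3_VERSION_MAJOR and so has to be listed explicitly. Worth checking the encoder side as well, so that i2d_SSL_SESSION emits the 2-byte cipher code for DTLS1_BAD_VER sessions that this decoder now requires and the two stay in sync.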
> 
>>> So I'm going to need to fix *something* in OpenSSL HEAD to make this
>>> work again. Should I do the minimal "fix" to make d2i_SSL_SESSION() work
>>> for DTLS1_BAD_VER, or introduce a new API for setting the fields we need
>>> to fake a session resume?
>>>
>>
>> What fields do you need access to? It would be good if you could
>> document them on the wiki page here:
>> https://wiki.openssl.org/index.php/1.1_API_Changes
> 
> I've updated
> https://wiki.openssl.org/index.php/1.1_API_Changes#Things_that_Broke_in_OpenConnect
> 
> I can either update my code to create the ASN.1 for itself and use
> d2i_SSL_SESSION() relying on the patch above, or I can implement the
> 'alternative' new function if that's preferred.
> 

Ok. Thanks. I'll take a look at this and see what can be done.

Matt


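The patch above only changes one predicate, but the failure mode it fixes is easy to miss: the version check in d2i_SSL_SESSION() compares the major byte alone, so the pre-standard DTLS1_BAD_VER falls through to the SSLv2 branch and the 2-byte cipher code is rejected with SSL_R_CIPHER_CODE_WRONG_LENGTH. The following is an added, stand-alone C example (not OpenSSL or OpenConnect code) that reproduces the old and patched predicates side by side and runs the same length check over a constructed 2-byte cipher code. The version constants are defined locally and are assumed to match the values in OpenSSL's ssl.h so the file builds without OpenSSL.

```c
#include <stdio.h>
#include <stddef.h>

/* Constants assumed to mirror OpenSSL's <openssl/ssl.h>; defined here so the
 * example compiles without OpenSSL installed. */
#define SSL2_VERSION        0x0002
#define SSL3_VERSION        0x0300
#define SSL3_VERSION_MAJOR  0x03
#define TLS1_VERSION        0x0301
#define DTLS1_VERSION       0xFEFF
#define DTLS1_BAD_VER       0x0100  /* pre-standard DTLS used by Cisco AnyConnect */

/* Pre-patch predicate from d2i_SSL_SESSION(): decide whether the stored
 * cipher code is a 2-byte SSLv3/TLS id by inspecting the major byte only. */
static int cipher_code_is_2_bytes_old(int ssl_version)
{
    return (ssl_version >> 8) >= SSL3_VERSION_MAJOR;
}

/* Patched predicate: DTLS1_BAD_VER has major byte 0x01, below 0x03, so it
 * must be admitted explicitly or it is treated like SSLv2. */
static int cipher_code_is_2_bytes_new(int ssl_version)
{
    return (ssl_version >> 8) >= SSL3_VERSION_MAJOR ||
           ssl_version == DTLS1_BAD_VER;
}

/* Mirror of the length check that follows the predicate: 2 bytes for
 * SSLv3+/TLS/DTLS, 3 bytes for SSLv2. Returns the cipher id, or -1 where
 * d2i_SSL_SESSION() would set SSL_R_CIPHER_CODE_WRONG_LENGTH. */
static long decode_cipher_code(int ssl_version, const unsigned char *code,
                               size_t len, int (*is_2_bytes)(int))
{
    if (is_2_bytes(ssl_version)) {
        if (len != 2)
            return -1;
        return ((long)code[0] << 8) | code[1];
    }
    if (len != 3)
        return -1;
    return ((long)code[0] << 16) | ((long)code[1] << 8) | code[2];
}

/* Constructed sample: the 2-byte TLS cipher id 0x002F
 * (TLS_RSA_WITH_AES_128_CBC_SHA), as a DTLS session would carry it. */
static long decode_sample_session(int ssl_version, int (*is_2_bytes)(int))
{
    static const unsigned char cipher_code[2] = { 0x00, 0x2F };
    return decode_cipher_code(ssl_version, cipher_code, sizeof cipher_code,
                              is_2_bytes);
}

int main(void)
{
    struct { const char *name; int version; } versions[] = {
        { "SSL2_VERSION",  SSL2_VERSION  },
        { "SSL3_VERSION",  SSL3_VERSION  },
        { "TLS1_VERSION",  TLS1_VERSION  },
        { "DTLS1_VERSION", DTLS1_VERSION },
        { "DTLS1_BAD_VER", DTLS1_BAD_VER },
    };
    size_t i;

    printf("%-14s %-6s %-9s %-9s %-12s %-12s\n", "version", "value",
           "old-2byte", "new-2byte", "old-decode", "new-decode");
    for (i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        int v = versions[i].version;
        printf("%-14s 0x%04X %-9d %-9d %-12ld %-12ld\n", versions[i].name, v,
               cipher_code_is_2_bytes_old(v), cipher_code_is_2_bytes_new(v),
               decode_sample_session(v, cipher_code_is_2_bytes_old),
               decode_sample_session(v, cipher_code_is_2_bytes_new));
    }
    return 0;
}
```

Running it shows DTLS1_BAD_VER as the only version where the two predicates disagree: the old one returns -1 (wrong length) for a perfectly valid 2-byte cipher code, while SSL3, TLS 1.0 and standard DTLS 1.0 (0xFEFF, major byte 0xFE) are unaffected, which is why the breakage surfaced only in OpenConnect's session-resume path.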